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QUESTION 1 

Your network contains an Active Directory forest. The forest contains two domains. You have a standalone root 
certification authority (CA). 


On a server in the child domain, you run the Add Roles Wizard and discover that the option to select an 
enterprise CA is disabled. 


You need to install an enterprise subordinate CA on the server. 


What should you use to log on to the new server? 


A. an account that is a member of the Certificate Publishers group in the child domain 

B. an account that is a member of the Certificate Publishers group in the forest root domain 
C. an account that is a member of the Schema Admins group in the forest root domain 

D. an account that is a member of the Enterprise Admins group in the forest root domain 


Correct Answer: D 


Reference: 
QUESTION 2 


You have an enterprise subordinate certification authority (CA). You have a group named Group1. 


You need to allow members of Group to publish new certificate revocation lists. Members of Group1 must not 
be allowed to revoke certificates. 


What should you do? 


A. Add Group1 to the local Administrators group. 

B. Add Group1 to the Certificate Publishers group. 

C. Assign the Manage CA permission to Group1. 

D. Assign the Issue and Manage Certificates permission to Group1. 


Correct Answer: C 


Reference: 
QUESTION 3 


You have an enterprise subordinate certification authority (CA) configured for key archival. Three key recovery 
agent certificates are issued. 
The CA is configured to use two recovery agents. 


You need to ensure that all of the recovery agent certificates can be used to recover all new private keys. 
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What should you do? 


> 


. Add a data recovery agent to the Default Domain Policy. 

B. Modify the value in the Number of recovery agents to use box. 

C. Revoke the current key recovery agent certificates and issue three new key recovery agent certificates. 

D. Assign the Issue and Manage Certificates permission to users who have the key recovery agent certificates. 


Correct Answer: B 


Reference: 

QUESTION 4 

You have an enterprise subordinate certification authority (CA). The CA is configured to use a hardware 
security module. 

You need to back up Active Directory Certificate Services on the CA. 

Which command should you run? 


A. certutil.exe backup 

B. certutil.exe backupdb 
C. certutil.exe backupkey 
D. certutil.exe store 


Correct Answer: B 


Reference: 
QUESTION 5 


You have Active Directory Certificate Services (AD CS) deployed. You create a custom certificate template. 


You need to ensure that all of the users in the domain automatically enroll for a certificate based on the custom 
certificate template. 


Which two actions should you perform? 
(Each correct answer presents part of the solution. Choose two.) 


A. In a Group Policy object (GPO), configure the autoenrollment settings. 

B. In a Group Policy object (GPO), configure the Automatic Certificate Reguest Settings. 

C. On the certificate template, assign the Read and Autoenroll permission to the Authenticated Users group. 
D. On the certificate template, assign the Read, Enroll, and Autoenroll permission to the Domain Users group. 


Correct Answer: AD 
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Reference: 

QUESTION 6 

You have an enterprise subordinate certification authority (CA). You have a custom Version 3 certificate 
template. 


Users can enroll for certificates based on the custom certificate template by using the Certificates console. 


The certificate template is unavailable for Web enrollment. You need to ensure that the certificate template is 
available on the Web enrollment pages. 


What should you do? 


A. Run certutil.exe pulse. 

B. Run certutil.exe installcert. 

C. Change the certificate template to a Version 2 certificate template. 

D. On the certificate template, assign the Autoenroll permission to the users. 


Correct Answer: C 


Reference: 

QUESTION 7 

You have an enterprise subordinate certification authority (CA). You have a custom certificate template that has 
a key length of 1,024 bits. The template is enabled for autoenrollment. 


You increase the template key length to 2,048 bits. 


You need to ensure that all current certificate holders automatically enroll for a certificate that uses the new 
template. 


Which console should you use? 


A. Active Directory Administrative Center 
B. Certification Authority 

C. Certificate Templates 

D. Group Policy Management 


Correct Answer: C 


Reference: 


OUESTION 8 
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Your network contains an Active Directory forest. All domain controllers run Windows Server 2008 Standard. 
The functional level of the domain is Windows Server 2003. You have a certification authority (CA). 


The relevant servers in the domain are configured as shown in the following table: 


Server! Windows Server 2003 Enterprise root CA 


Windows Server 2008 Enterprise subordinate CA 


You need to ensure that you can install the Active Directory Certificate Services (AD CS) Certificate Enrollment 
Web Service on the network. 


What should you do? 


A. Upgrade Server1 to Windows Server 2008 R2. 

B. Upgrade Server2 to Windows Server 2008 R2. 

C. Raise the functional level of the domain to Windows Server 2008. 

D. Install the Windows Server 2008 R2 Active Directory Schema updates. 


Correct Answer: D 


Reference: 


QUESTION 9 


Your company has an Active Directory forest that contains multiple domain controllers. The domain controllers 
run Windows Server 2008. 

You need to perform an an authoritative restore of a deleted orgainzational unit and its child objects. 

Which four actions should you perform in sequence? (To answer, move the appropriate four actions from the 
list of actions to the answer area, and arrange them in the correct order.) 


Build List and Reorder: 
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use the ntdsutil utility to mark the 
organizational unit as authoritative 


use the dsadd utility to recreate the 
organizational unit 
restart the domain controller in safe 


Correct Answer: 


restart the domain controller in directory 
services restore mode (DSRM). 

restore the system state data to a date before 
the organizational unit was deleted 

use the dsadd utility to recreate the 
organizational unit 

restart the domain controller 


Reference: 
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